System Gen159 @ 2025-04-23-00:25:53

2025-04-23 00:25:54 +02:00
parent 376909ae22
commit 99e902a08d
9 changed files with 182 additions and 0 deletions
--- a/modules/networking/wireguard/client.nix
+++ b/modules/networking/wireguard/client.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.networking.wg.client;
+  peers = import ./peers.nix {};
+in {
+  options.networking.wg.client = {
+    enable = lib.mkEnableOption "Enable WireGuard client";
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to the private key file for the WireGuard client";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.wg-quick.interfaces.wg0 = {
+      inherit (peers.jonas) address;
+      inherit (cfg) privateKeyFile;
+
+      peers = [
+        peers.harbor
+      ];
+    };
+  };
+}
--- a/modules/networking/wireguard/default.nix
+++ b/modules/networking/wireguard/default.nix
@@ -0,0 +1,3 @@
+{...}: {
+  imports = [./client.nix ./server.nix];
+}
--- a/modules/networking/wireguard/peers.nix
+++ b/modules/networking/wireguard/peers.nix
@@ -0,0 +1,20 @@
+{}: {
+  harbor = {
+    publicKey = "aFl1ILLtKQkXctqzMZQxgnfLtSrKabs4NO2fZExeKWE=";
+
+    # Forward all trafic to the VPN.
+    allowedIPs = ["0.0.0.0/0"];
+
+    # Server endpoint to connect to.
+    endpoint = "173.249.42.252:51820";
+
+    # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+    persistentKeepalive = 25;
+  };
+
+  jonas = {
+    publicKey = "oPMapC1S3TPe+/YQulG0AsVsOu+MzZY7huvAAXVJEnM=";
+    address = ["10.10.10.2/24"];
+    allowedIPs = ["10.10.10.2/32"];
+  };
+}
--- a/modules/networking/wireguard/server.nix
+++ b/modules/networking/wireguard/server.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  cfg = config.networking.wg.server;
+  peers = import ./peers.nix {};
+in {
+  options.networking.wg.server = {
+    enable = lib.mkEnableOption "Enable WireGuard server";
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 51820;
+      description = "Port for WireGuard server";
+    };
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to the private key file for the WireGuard server";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Firewall and NAT configuration
+    networking.firewall.allowedUDPPorts = [cfg.port];
+    networking.nat.enable = true;
+    networking.nat.externalInterface = "eth0";
+    networking.nat.internalInterfaces = ["wg0"];
+
+    # Interface with NAT for internet routing
+    networking.wireguard.interfaces."wg0" = {
+      ips = ["10.10.10.1/24"];
+      listenPort = cfg.port;
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
+      '';
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      inherit (cfg) privateKeyFile;
+
+      peers = [
+        peers.jonas
+      ];
+    };
+  };
+}